Security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle products

Vulnerability in TLS Protocol during Renegotiation [CVE-2009-3555]

A security vulnerability in the TLS protocol (TLS 1.0 or later and SSLv3) may allow
an unauthenticated, remote attacker to conduct man-in-the-middle
(MITM) attacks in which chosen plain text may be injected
as a prefix into a user's TLS session.
This vulnerability does not allow one to decrypt or modify the intercepted network communication.

The exact nature of the impact depends on the application making use of
the TLS facility.

Sun is evaluating the impact of the issue on various
products which make use of the TLS libraries. We are working to
fix the TLS implementations in accordance with the TLS protocol
extension specified in RFC 5746.

Solaris Kernel SSL:
The Solaris Kernel SSL proxy module (KSSL) does not support client
renegotiation or rehandshake. It ignores the rehandshake message, which
is behavior allowed by the SSL/TLS specification. Hence it is not vulnerable to this issue.
KSSL (see ksslcfg(1M)) is available in Solaris 10 and OpenSolaris.
It may be used to work around the described issue in server applications.

Java:
The Java Secure Socket Extension (JSSE) included in the following Java SE
and Java SE for Business releases for Windows, Solaris, and Linux is affected:

GnuTLS libraries in Solaris:
The issue does not affect any server applications distributed with Solaris which use the GnuTLS library. At this time we do not plan to issue any interim fixes to GnuTLS libraries. Fixes to GnuTLS distributed with Solaris will be provided when the proposed TLS extensions become a standard.
